W3C home > Mailing lists > Public > semantic-web@w3.org > May 2021

Re: Chartering work has started for a Linked Data Signature Working Group @W3C

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Thu, 6 May 2021 00:02:52 -0400
To: Eric Prud'hommeaux <eric@w3.org>
Cc: Dan Brickley <danbri@google.com>, Phil Archer <phil.archer@gs1.org>, Ivan Herman <ivan@w3.org>, Dan Brickley <danbri@danbri.org>, Aidan Hogan <aidhog@gmail.com>, Pierre-Antoine Champin <pierre-antoine@w3.org>, Ramanathan Guha <guha@google.com>, semantic-web <semantic-web@w3.org>
Message-ID: <2122fff4-741b-2817-300e-aabb46edeea7@digitalbazaar.com>
On 5/4/21 1:13 PM, Eric Prud'hommeaux wrote:
>> The Linked Data Signatures signing algorithm consists of 4 phases:
>> 1. Canonicalization of input data
>> 2. Cryptographic hashing
>> 3. Digitally signing
>> 4. Expressing the signature
>> RDF really only comes into play in steps #1 and #4... and it's possible for it
>> to not come into play at all.
> Isn't the same true of XML dsig (or any other canonicalized signature stack)?

Ha! You're absolutely right. I over-generalized. Hmmm... thinking.

Let's take a concrete example in JSON-LD. In step #1, you can choose to 
do RDF Dataset Canonicalization or JCS. Then you do step #2, and #3, no 
problem. When you go to express the signature in #4, you can express it 
in JSON-LD, but when you do this, someone doing just regular 'ol JSON 
can use the data too.

In this scenario, there are a subset of developers that never go to RDF 
(and it's valid and works for their use case).

> I don't think a WG should foster much creativity. WG's need tight
> charters to get something out the door fast enough to be useful. W3C
> typically spends a lot of time wordsmithing that to make sure that
> companies know what they're signing up for WRT patent disclosures and
> engineer commitments.

Yes, agree, we need a very tight charter, highly focused. I'm just 
responding because the question was asked: "Why isn't this just all 
about RDF?"... well, it's because of the use case above.

I do think we should put that stuff out of scope, or write a NOTE about 
it... I just want people to be aware that these use cases exist and we 
should be careful not to accidentally make them impossible.

> What conversations would it reallistically stifle and are those
> conversations that should happen in a WG?

We don't want those conversations to happen in the WG (at least, not a 
lot of them... because they will be a distraction). At the same time, we 
don't want to make those other use cases, which are possible and 
implemented today... impossible and incompatible when we're done.

> Same page wrt. focus, true. Different weighting of concerns about the
> WG's ability to focus and deliver. In my experience, WGs are pretty
> vulnerable to scope creep. SPARQL spent 18 months arguing about OWL
> use cases that you couldn't even detect with SPARQL Results (the chair
> DanC later said "if only I had known at the time" when I pointed that
> out).

Yes, perhaps writing down all of our scope creep fears and putting them 
in "Out of Scope, but maybe for a future WG" might be useful?

 From a scope and focus perspective, I'd be comfortable going further:

We do RDF Dataset Canonicalization first, using the input documents... 
no, really, there are mathematical proofs and years of work that went 
into them. If someone wants to have a bright idea about a new way to do 
RDC, great... but later -- do not derail the group unless you have 
significant proofs, papers, and a community of implementers. Let's get 
the current stuff locked down and shipped.

We then move on to the hashing stuff, which again, should be fairly 
straight forward... but razor sharp focus on that until we're done.

Then Linked Data Integrity/Signatures... and the vocabulary... whatever 
we want to call it. Focus on the stuff that's being used in production 
today -- we have at least 8 companies already interoperating at that 
layer with test suites -- get that analyzed/locked in.

... and then we'll need to recharter to go further. The order and 
priority above is important... and the group really has to try very hard 
not to get distracted... and almost all of it is "RDF stuff"... except 
for the very small bit of it that's not, that we can document, but not 
spend a whole lot of time on.

Does that resonate with folks?

-- manu

Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
Received on Thursday, 6 May 2021 04:03:50 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 6 May 2021 04:03:51 UTC